Maven

A Guide to SaMD (Software as a Medical Device)

As healthcare becomes more digital, standalone software used for medical purposes is transforming patient care. This guide is based on the latest MDCG 2019‑11 (rev 1, June 2025) and international standards, outlining everything you need to develop compliant Software as a Medical Device (SaMD), from proper classification and risk assessment to robust cybersecurity and evidence-driven clinical evaluation.

What is Software as a Medical Device (SaMD)?

Software is becoming increasingly central and widespread in the healthcare industry. With a variety of technology platforms, such as personal computers, smartphones, and network servers, and effortless distribution through the internet and the cloud, two types of software are now common in clinical settings:

  • Software for medical purposes (supporting clinical decisions)
  • Software for non-medical uses (such as administrative or financial tasks)

Software that performs a medical function independently, without being part of a hardware medical device, is called SaMD. It may analyze health data, suggest treatments, or assist in diagnosis.

Leading regulators, including the Food and Drug Administration (FDA) and International Medical Device Regulators Forum (IMDRF), define SaMD as software intended for medical purposes that operates on general platforms. Examples include apps that detect arrhythmias or use AI to interpret medical images.

Global Regulatory Framework for SaMD

Regulators worldwide are increasingly aligning on SaMD regulations, with a focus on software safety, effectiveness, and lifecycle management.

  • In the U.S., the FDA SaMD guidance clarifies when SaMD requires premarket submissions, with emphasis on cybersecurity and clinical validation.
  • The IMDRF has published a harmonized framework for the classification of SaMD, quality systems, and clinical evaluation.
  • In the EU, MDCG 2019‑11 (revised June 2025) clarifies how SaMD (MDSW) fits within MDR/IVDR regulations.

Global frameworks guide manufacturers to build SaMD with safety, clinical evidence, and patient trust in mind.

What You Need to Know About Medical Device Software Regulations in the EU

The EU classifies software as either medical or non-medical based on its intended use, rather than the platform on which it operates. Any software designed to diagnose, monitor, or treat qualifies as a device under MDR.

Key MDCG Guidelines to Follow

To ensure harmonized and effective application of the MDR/IVDR regulations, the MDCG publishes guidance based on expert consensus among Notified Bodies and EU Authorities. These documents, while officially non-binding, provide practical examples, clear interpretations, and trusted references that Notified Bodies often expect manufacturers to use.

Qualification & Classification

MDCG 2019‑11 provides a decision tree to determine if the software is medical and what SaMD Classification it falls into, using factors like health impact and risk category.

Rule 11 Severity Rules

Under EU Annex VIII Rule 11, software used for diagnosis or treatment is at least Class IIa, with higher classes for high‑risk outputs. The 2025 update adds further elaboration on modules, Annex XVI software, and interoperability.

IMDRF Alignment

MDCG’s tables align IMDRF’s risk framework with EU classes, helping manufacturers globally classify SaMD correctly.

Cybersecurity Considerations in SaMD

Cyber threats can compromise patient safety; a hijacked insulin dosing app is one example. SaMD must embed security at every stage.

  • The FDA’s 2025 cybersecurity guidance requires premarket documentation of threat models, secure update mechanisms, and incident response plans.
  • International standards, such as IEC 62304, IEC 27032, and ISO/IEC 27000, support secure design.
  • Reports suggest up to 70% of IoT devices still have severe flaws, reinforcing the need for strong cybersecurity.

Launch-ready SaMD must integrate security patches, encryption, and vulnerability management into its SaMD compliance strategy.

Post-Market Requirements for SaMD

Once in the market, SaMD must be actively managed to ensure ongoing safety:

  • Track usage, complaints, and any software failures.
  • Manage updates, patches, and version control in ongoing documents to ensure seamless integration and maintain consistency.
  • Submit Periodic Safety Update Reports (PSURs) per MDR guidelines.
  • React swiftly to field issues with corrective actions or recalls.

Maintaining these processes ensures long-term compliance with SaMD and continuity of patient safety.

Clinical Evaluation for SaMD

Every SaMD must undergo clinical evaluation to demonstrate its safety and effectiveness. According to FDA and IMDRF guidance, evaluation rests on three pillars:

  • Clinical Association: Show that the software's output links meaningfully to medical conditions (e.g., through evidence or expert consensus).
  • Analytical Validation: Test accuracy and consistency for software algorithms.
  • Clinical Validation: Use real-world or clinical study data to confirm effectiveness and improve outcomes.

Higher-class SaMD demands deeper clinical evidence. Studies show robust validation can accelerate review times by 30-40% for Class IIa products.

Final Thoughts: Navigating SaMD Compliance

Creating compliant SaMD requires a coordinated effort across multiple domains:

  • Follow strong SaMD development practices from design to deployment.
  • Use MDCG 2019‑11, FDA, and IMDRF guidance to guide classification and submission.
  • Embed cybersecurity and clinical evaluation early to avoid compliance delays.
  • Maintain lifecycle vigilance through ongoing documents, user tracking, and post-market monitoring.

By aligning with SaMD regulations, manufacturers can deliver safe, trustworthy digital health products that transform care delivery.

By following global frameworks, like FDA SaMD guidance, MDCG 2019‑11, IMDRF principles, and strong clinical and cybersecurity practices, manufacturers can build and sustain high-quality SaMD compliance solutions. Maven supports this process at every stage. Let us guide you to SaMD success with clarity.

Frequently Asked Questions

SaMD provides medical functions such as diagnosis, monitoring, or treatment, utilizing software algorithms, often on consumer devices.

Yes, when it meets the medical device definitions outlined in FDA guidance. Many Class II products require a 510(k) or De Novo submission, depending on the level of risk associated with them.

A non-binding but essential guidance endorsed by the MDCG clarifies how to qualify and classify SaMD under the EU MDR/IVDR.

Strong cybersecurity, including secure coding, regular updates, and effective threat response, is crucial for obtaining pre-market approval and mitigating risk.

The main hurdles include defining intended medical use, managing continuous updates, gathering clinical evidence, and securing software against cyber threats, especially for AI SaMD.

AI SaMD powers diagnostic tools, predictive monitoring, and treatment suggestions. Because these systems can change with new data, they typically fall into higher regulatory classes, requiring more substantial evidence and risk control.